Possible to crack WPA rainbow style?

Hey.
I've never really gone past the concept of WEP cracking, but now I am exploring the domain of WPA and WPA2 networks. There are a number of tutorials on how to crack WPA e.g. the dictionary attack and stuff, but I was wondering something...

Is it possible to crack a WPA PSK or WPA2 PSK key the same way as a hash (without a dictionary) by using rtgen (or a similar tool) to generate a number of rainbow tables based on a given SSID and then run rcrack to get the key?

Yes, coWPAtty has the ability to use rainbow tables and at least one or two other cracking progs in BT3 can too. In fact I'm pretty sure it was Thorn (an honest to goodness internet celebrity!) who came up with the idea of cracking WPAs with rainbow tables. There is also a repository on the internet of WPA rainbow tables for the top 1000 ESSIDs out there: www.renderlab.net/projects/WPA-tables
Unfortunately it weighs in at a hefty 34 gigs.

Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

Yes, I thought up the basic concept, but Renderman, Joshua Wright, and Dragorn did all the heavy lifting. As far as the rest goes, I'm hardly a celebrity, and I'm pretty sure most of the people who know me would think that whole idea pretty damn funny. Thanks for the thought and the laugh though.

There is a smaller table that is only 7GB, that's also on Renderman's site.

I have that signed picture of you hanging in my office.

A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

Let me get this straight. The rainbow tables from render lab are in fact real rainbow tables, and not some lookup tables (like airolib) that have been precomputed for a number of SSIDs from a large dictionary file. In this case you don't need a dictionary to crack WPA or to generate your own WPA rainbow tables for a given SSID, though that might take a long time.

Correct me if I'm wrong.
Also, may I ask what the commands are to create WPA/WPA2 rainbow tables for a specified SSID?

Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

Originally Posted by xCPPx

Let me get this straight. The rainbow tables from render lab are in fact real rainbow tables, and not some lookup tables (like airolib) that have been precomputed for a number of SSIDs from a large dictionary file. In this case you don't need a dictionary to crack WPA or to generate your own WPA rainbow tables for a given SSID, though that might take a long time.

Correct me if I'm wrong.

You've got it.

Generating a single SSID won't take too long with a modest password list. Theprez98 generated a custom table for a single SSID using the optimized 172,779-word list that was used for the CoWF's initial 7GB table. It took him about 30 minutes.

However, generating tables using large passphrase files and/or multiple SSIDs can take a lot of time. Producing WPA tables is very processor intensive. When we (the Church of WiFi) produced the initial 7GB WPA Rainbow Tables, they were created on a cluster (of approximately 20 servers). Those tables were computed with a dictionary of ~172,000 words, and it still took over a week.

The 33GB tables (1 million words) were generated on machines using special FPGA hardware (cost: ~$50k), which were optimized for computing the tables. While FPGA systems are several magnitudes faster than standard processors for this type of work, those tables still took about 3 days to generate.

Originally Posted by xCPPx

Also, may I ask what the commands are to create WPA/WPA2 rainbow tables for a specified SSID?

genpmk is the program, and is provided as part of the coWPAtty package. As Barry said, you can find all the details at the link he posted.

For some reason I fail to find an answer to my original question in this thread. You all claim that what I asked for is very possible, but at the same time you provide me with means of attacking a WPA network that are different from what I asked for. If you read my posts carefully, you will notice that I asked for means that do not require a word list (or dictionary file, if you would) to work (and I'm not talking about brute-force). As far as I've read, the so-called "rainbow tables" from renderlabs are merely precomputed hash tables from a large wordlist, which means that if the sought passphrase is not in the initial dictionary file, the attack will fail.

The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file.

My question was not about precomputing hash tables from a wordlist, but instead whether it is possible to break a WPA/WPA2 passphrase the same (similar) way as an MD5 hash by creating and using rainbow tables. And by saying "rainbow tables", I mean rainbow tables as defined on Wikipedia. As far as I've searched I found no results on this kind of attack, but I guess you can't blame me for asking.

The rainbow table generator (rtgen) uses a reduction function to automatically generate a chain of passphrases (out of the current hash) based on a given character set. This is then repeated n times to form a "rainbow chain" where only the initial value and the ending result are stored. A large number of such chains form a rainbow table. The same process is then performed on the hash in question, and should at some point the computed value match one of the ending results, the passphrase must be somewhere in that chain.

My question is whether a WPA/WPA2 passphrase can be broken this way by writing an appropriate reduction function and giving an option to specify an SSID as a salt.

Sorry if I was being a bit rough, I just wanted to clarify a few things, including the difference between a precomputed hash table and a rainbow table. I learned that the more specific I try to be, the more confusing I become.
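As an added illustration of the mechanism xCPPx describes (this is not code from the thread, coWPAtty or genpmk), the toy Python below builds true rainbow chains, with a column-dependent reduction function, over the real WPA/WPA2-PSK PMK derivation, using the SSID as the salt. The 27-entry keyspace, chain sizes and SSID names are constructed for the demo; the real derivation (PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits) is kept so the cost per link is realistic. The salt is the practical catch: each table is bound to one SSID, so a unique SSID plus a long random passphrase puts a network outside any precomputed table, rainbow or lookup.

```python
import hashlib
import itertools
# Toy keyspace constructed for the demo: every 3-char string over "abc" (27
# candidates). Real WPA passphrases are 8 to 63 printable characters.
KEYSPACE = ["".join(p) for p in itertools.product("abc", repeat=3)]

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Real WPA/WPA2-PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits,
    salted with the SSID. The salt is why a table only ever covers one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def reduce_pmk(pmk: bytes, column: int) -> str:
    """Reduction: fold a PMK back into the keyspace; the column index makes each
    column's reduction differ (a rainbow chain, not a plain hash chain)."""
    return KEYSPACE[(int.from_bytes(pmk[:8], "big") + column) % len(KEYSPACE)]

def build_table(ssid: str, num_chains: int, chain_len: int) -> dict:
    """Keep only (end -> start) per chain; a lookup table would instead keep
    every (PMK -> passphrase) pair from its wordlist."""
    table = {}
    for c in range(num_chains):
        start = p = KEYSPACE[(c * 7) % len(KEYSPACE)]  # deterministic starts
        for col in range(chain_len):
            p = reduce_pmk(wpa_pmk(p, ssid), col)
        table.setdefault(p, start)  # merged chains share an end; keep the first
    return table

def lookup(table: dict, target: bytes, ssid: str, chain_len: int):
    """Assume the target PMK sits in column i, roll forward to an endpoint, then
    regenerate that chain from its start and test each candidate."""
    for i in range(chain_len - 1, -1, -1):
        p = reduce_pmk(target, i)
        for col in range(i + 1, chain_len):
            p = reduce_pmk(wpa_pmk(p, ssid), col)
        cand = table.get(p)
        if cand is None:
            continue
        for col in range(chain_len):  # walk the chain; this rejects false alarms
            pmk = wpa_pmk(cand, ssid)
            if pmk == target:
                return cand
            cand = reduce_pmk(pmk, col)
    return None
def demo():
    ssid = "demo-ssid"  # constructed sample SSID, not a real network
    table = build_table(ssid, num_chains=6, chain_len=4)
    hit = lookup(table, wpa_pmk("aaa", ssid), ssid, 4)
    miss = lookup(table, wpa_pmk("aaa", "other-ssid"), ssid, 4)  # other SSID, other PMK
    return hit, miss, len(table)
```

Compare the table size with the keyspace: the table holds at most six endpoints for a 27-entry keyspace, and a real table trades that saved space for the chain recomputation done in `lookup`, which is the time/memory trade-off that distinguishes it from the CoWF lookup tables.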

xCPPx you are totally right!
They even say so on their first page: "This page is to give a little more insight into the methodology and logic behind conceiving and building the CoWF WPA-PSK Rainbow Tables (actually they are lookup tables but I just like the term 'rainbow tables' a lot.)"
Just because some geek wants to use those words because they like it, they fooled thousands of people and I am one of them. I downloaded the 33 GB and I can say now that it's the most useless thing I ever downloaded, not to mention a waste of time. The only use I can see for those hashes is that if you happen to spot an ESSID that is among the 1000, and the password happens to be among the 1 million, and you are so eager to crack it, you will save 2h (with an Intel 1.86GHz dual core).
So now google is filled with the wrong keywords leading to that site, making it harder for people who are actually interested in whether WPA is crackable rainbow style.